#!/bin/bash
#
# 检查前端 HTTPS 配置
# 作者: 知汛项目组
# 最后更新: 2024-11-07

# 颜色定义
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
RED='\033[0;31m'
NC='\033[0m'

# 默认配置
DOMAIN="ws.waterism.tech"
HTTP_PORT="8081"
HTTPS_PORT="8444"
VERBOSE=false

# 显示帮助
show_help() {
    cat << EOF
用法: $0 [选项]

检查前端 HTTPS 配置和服务状态

选项:
    --domain DOMAIN    域名（默认: ws.waterism.tech）
    --http-port PORT   HTTP端口（默认: 8081）
    --https-port PORT  HTTPS端口（默认: 8444）
    --verbose          显示详细信息
    --help             显示此帮助信息

示例:
    # 基本检查
    bash $0

    # 详细检查
    bash $0 --verbose
EOF
}

# 解析参数
while [[ $# -gt 0 ]]; do
    case $1 in
        --domain)
            DOMAIN="$2"
            shift 2
            ;;
        --http-port)
            HTTP_PORT="$2"
            shift 2
            ;;
        --https-port)
            HTTPS_PORT="$2"
            shift 2
            ;;
        --verbose)
            VERBOSE=true
            shift
            ;;
        --help)
            show_help
            exit 0
            ;;
        *)
            echo -e "${RED}未知参数: $1${NC}"
            show_help
            exit 1
            ;;
    esac
done

echo "======================================"
echo "前端 HTTPS 配置检查"
echo "======================================"
echo "域名: $DOMAIN"
echo "HTTP端口: $HTTP_PORT"
echo "HTTPS端口: $HTTPS_PORT"
echo ""

# 检查Docker容器
echo -e "${YELLOW}[1/5] 检查Docker容器...${NC}"

if docker ps | grep -q zhixun-app; then
    echo -e "${GREEN}✓ 容器运行正常${NC}"
    docker ps | grep zhixun-app
else
    echo -e "${RED}✗ 容器未运行${NC}"
    exit 1
fi

# 检查SSL证书文件
echo ""
echo -e "${YELLOW}[2/5] 检查SSL证书文件...${NC}"

SSL_DIR="/opt/ssl/zhixun-app"

if [ -d "$SSL_DIR" ]; then
    echo -e "${GREEN}✓ SSL目录存在: $SSL_DIR${NC}"
    
    if [ -f "$SSL_DIR/fullchain.pem" ] && [ -f "$SSL_DIR/privkey.pem" ]; then
        echo -e "${GREEN}✓ 证书文件完整${NC}"
        
        # 显示文件权限
        echo ""
        echo "证书文件权限:"
        ls -lh "$SSL_DIR/"
        
        # 显示证书信息
        if [ -f "$SSL_DIR/fullchain.pem" ]; then
            echo ""
            echo "证书信息:"
            openssl x509 -in "$SSL_DIR/fullchain.pem" -noout -subject -dates
        fi
    else
        echo -e "${RED}✗ 证书文件不完整${NC}"
        exit 1
    fi
else
    echo -e "${RED}✗ SSL目录不存在: $SSL_DIR${NC}"
    exit 1
fi

# 检查端口监听
echo ""
echo -e "${YELLOW}[3/5] 检查端口监听...${NC}"

# HTTP端口
if netstat -tlnp 2>/dev/null | grep -q ":$HTTP_PORT " || ss -tlnp 2>/dev/null | grep -q ":$HTTP_PORT "; then
    echo -e "${GREEN}✓ HTTP端口监听正常 ($HTTP_PORT)${NC}"
else
    echo -e "${RED}✗ HTTP端口未监听 ($HTTP_PORT)${NC}"
fi

# HTTPS端口
if netstat -tlnp 2>/dev/null | grep -q ":$HTTPS_PORT " || ss -tlnp 2>/dev/null | grep -q ":$HTTPS_PORT "; then
    echo -e "${GREEN}✓ HTTPS端口监听正常 ($HTTPS_PORT)${NC}"
else
    echo -e "${RED}✗ HTTPS端口未监听 ($HTTPS_PORT)${NC}"
fi

# 检查HTTP服务
echo ""
echo -e "${YELLOW}[4/5] 检查HTTP服务...${NC}"

HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" "http://localhost:$HTTP_PORT" 2>/dev/null || echo "000")

if [[ "$HTTP_CODE" =~ ^(200|301|302)$ ]]; then
    echo -e "${GREEN}✓ HTTP服务响应正常 (状态码: $HTTP_CODE)${NC}"
else
    echo -e "${RED}✗ HTTP服务异常 (状态码: $HTTP_CODE)${NC}"
fi

# 检查HTTPS服务
echo ""
echo -e "${YELLOW}[5/5] 检查HTTPS服务...${NC}"

HTTPS_CODE=$(curl -k -s -o /dev/null -w "%{http_code}" "https://localhost:$HTTPS_PORT" 2>/dev/null || echo "000")

if [[ "$HTTPS_CODE" =~ ^(200|301|302)$ ]]; then
    echo -e "${GREEN}✓ HTTPS服务响应正常 (状态码: $HTTPS_CODE)${NC}"
else
    echo -e "${RED}✗ HTTPS服务异常 (状态码: $HTTPS_CODE)${NC}"
fi

# 详细信息
if [ "$VERBOSE" = true ]; then
    echo ""
    echo -e "${YELLOW}详细信息...${NC}"
    
    echo ""
    echo "容器日志（最后20行）:"
    docker logs --tail 20 zhixun-app
    
    echo ""
    echo "Nginx配置测试:"
    docker exec zhixun-app nginx -t 2>&1 || echo "无法执行nginx -t"
    
    echo ""
    echo "证书链验证:"
    echo | openssl s_client -connect "$DOMAIN:$HTTPS_PORT" -servername "$DOMAIN" 2>/dev/null | grep -A 10 "Certificate chain"
fi

echo ""
echo -e "${GREEN}✓ 检查完成${NC}"
echo ""
echo "访问地址:"
echo "  HTTP:  http://$DOMAIN:$HTTP_PORT"
echo "  HTTPS: https://$DOMAIN:$HTTPS_PORT"

